Security Amplification for the Composition of Block Ciphers: Simpler Proofs and New Results

Security amplification results for block ciphers typically state that cascading (i.e., composing with independent keys) two (or more) block ciphers yields a new block cipher that offers better security against some class of adversaries and/or that resists stronger adversaries than each of its components. One of the most important results in this respect is the so-called “two weak make one strong” theorem, first established up to logarithmic terms by Maurer and Pietrzak (TCC 2004), and later optimally tightened by Maurer, Pietrzak, and Renner (CRYPTO 2007), which states that, in the information-theoretic setting, cascading \(F\) and \(G^{-1}\), where \(F\) and \(G\) are respectively \((q,\varepsilon _F)\)-secure and \((q,\varepsilon _G)\)-secure against non-adaptive chosen-plaintext (NCPA) attacks, yields a block cipher which is \((q,\varepsilon _F+\varepsilon _G)\)-secure against adaptive chosen-plaintext and ciphertext (CCA) attacks. The first contribution of this work is a surprisingly simple proof of this theorem, relying on Patarin’s H-coefficient method. We then extend our new proof to obtain new results (still in the information-theoretic setting). In particular, we prove a new composition theorem (which can be seen as the generalization of the “two weak make one strong” theorem to the composition of \(n>2\) block ciphers) which provides both amplification of the advantage and strengthening of the distinguisher’s class in some optimal way (indeed we prove that our new composition theorem is tight up to some constant).

[1]  Martijn Stam,et al.  Understanding Adaptivity: Random Systems Revisited , 2012, ASIACRYPT.

[2]  Tatsuaki Okamoto,et al.  Advances in Cryptology — ASIACRYPT 2000 , 2000, Lecture Notes in Computer Science.

[3]  Ueli Maurer,et al.  Cascade Encryption Revisited , 2009, ASIACRYPT.

[4]  Tal Rabin Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings , 2010, CRYPTO.

[5]  Serge Vaudenay,et al.  Decorrelation: A Theory for Block Cipher Security , 2003, Journal of Cryptology.

[6]  Giovanni Di Crescenzo,et al.  Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers , 1998, CRYPTO.

[7]  Serge Vaudenay,et al.  Provable Security for Block Ciphers by Decorrelation , 1998, STACS.

[8]  Ueli Maurer,et al.  Indistinguishability Amplification , 2007, CRYPTO.

[9]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[10]  Jacques Patarin,et al.  New Results on Pseudorandom Permutation Generators Based on the DES Scheme , 1991, CRYPTO.

[11]  Serge Vaudenay,et al.  Advances in Cryptology - EUROCRYPT 2006 , 2006, Lecture Notes in Computer Science.

[12]  Jacques Patarin,et al.  The "Coefficients H" Technique , 2009, Selected Areas in Cryptography.

[13]  Yehuda Lindell,et al.  More Efficient Constant-Round Multi-Party Computation from BMR and SHE , 2016, IACR Cryptol. ePrint Arch..

[14]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[15]  Phong Q. Nguyen,et al.  Advances in Cryptology – EUROCRYPT 2013 , 2013, Lecture Notes in Computer Science.

[16]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[17]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[18]  Krzysztof Pietrzak Composition Does Not Imply Adaptive Security , 2005, CRYPTO.

[19]  Hideki Imai,et al.  On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses , 1989, CRYPTO.

[20]  Phillip Rogaway,et al.  On Generalized Feistel Networks , 2010, CRYPTO.

[21]  Moni Naor,et al.  Derandomized Constructions of k-Wise (Almost) Independent Permutations , 2005, Algorithmica.

[22]  Serge Vaudenay,et al.  Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomness , 1999, Selected Areas in Cryptography.

[23]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[24]  Krzysztof Pietrzak Indistinguishability and composition of random systems , 2006 .

[25]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[26]  Serge Vaudenay,et al.  On the Pseudorandomness of Top-Level Schemes of Block Ciphers , 2000, ASIACRYPT.

[27]  Ueli Maurer,et al.  Computational Indistinguishability Amplification: Tight Product Theorems for System Composition , 2009, IACR Cryptol. ePrint Arch..

[28]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[29]  Ueli Maurer,et al.  Indistinguishability of Random Systems , 2002, EUROCRYPT.

[30]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[31]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[32]  Krzysztof Pietrzak Composition Implies Adaptive Security in Minicrypt , 2006, EUROCRYPT.

[33]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[34]  Yannick Seurin,et al.  Security Analysis of Key-Alternating Feistel Ciphers , 2014, FSE.

[35]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[36]  Phillip Rogaway,et al.  How to Encipher Messages on a Small Domain , 2009, CRYPTO.

[37]  Yannick Seurin,et al.  An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher , 2012, ASIACRYPT.

[38]  Jacques Patarin Pseudorandom Permutations Based on the D.E.S. Scheme , 1990, ESORICS.

[39]  Michael Luby,et al.  Pseudo-random permutation generators and cryptographic composition , 1986, STOC '86.

[40]  Jooyoung Lee,et al.  Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption , 2013, EUROCRYPT.

[41]  Steven Myers,et al.  Black-Box Composition Does Not Imply Adaptive Security , 2004, EUROCRYPT.

[42]  Ueli Maurer,et al.  Composition of Random Systems: When Two Weak Make One Strong , 2004, TCC.